UK government’s plans for reforming the Data Protection Act published today

The government is announcing today how it plans to reform the UK’s Data Protection Act.

The government’s starting point is reflected in the statement by Digital Secretary, Nadine Dorries, who framed the reform as a post-Brexit win: “Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.”

Some aspects will probably be widely welcomed, such as an increase in “financial penalties for those pestering people with nuisance calls” and minimising the number of cookie pop-ups people see on the internet.

The government has summarised this major reform in five main areas and the following paragraphs are extracts from the DCMS’s announcement.

Reducing burdens on businesses

The government’s new data protection rules will be focused on outcomes to reduce unnecessary burdens on businesses.

This bill will remove the UK GDPR’s prescriptive requirements giving organisations little flexibility about how they manage data risks - including the need for certain organisations, such as small businesses, to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments.

Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. The same high data protection standards will remain but organisations will have more flexibility to determine how they meet these standards.

Protecting consumers from nuisance calls and unnecessary cookies

The fines will increase from the current maximum of £500,000 and be brought in line with current UK GDPR penalties which are up to four per cent global turnover or £17.5 million, whichever is greater.

The government’s new opt-out model for cookies will heavily reduce the need for users to click through consent banners on every website they visit - meaning that people will see far fewer of the frustrating boxes online.

Before the legislative changes are commenced, the government will work with the industry and the regulator to ensure technology is effective and readily available so people can set their online cookie preferences to opt out via automated means. This will help web users to retain choice and control over how their data is used.

Modernising the Information Commissioner’s Office

The ICO will be modernised to have a chair, chief executive and a board to make sure it remains an internationally renowned regulator. The change will introduce a wider set of skills to support robust decision-making and broaden the legal responsibility underpinning the ICO’s work, which currently sits solely with the role of Information Commissioner.

Strategic objectives will be set out in the Bill. They will underline the importance of the regulator continuing to uphold data rights and encouraging the responsible use of personal data, but will have greater emphasis on taking into account growth, innovation and competition.

The reforms will introduce a new way for how the ICO develops statutory codes and guidance, which share best practices for organisations using, sharing or storing personal data in specific instances, such as protecting children’s data online.

The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance. The Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to Parliament.

Enabling the innovative use of data

The reforms will further cement the UK’s position as a science superpower by simplifying the legal requirements around research so that scientists are not needlessly impeded from using data to innovate and make major breakthroughs.

The Data Reform Bill will more clearly define the scope of scientific research and give scientists clarity about when they can obtain user consent to collect or use data for broad research purposes.

Empowering international trade

The UK is committed to maintaining high data protection standards and continuing the free flow of personal data between like-minded countries. The data reforms will support the UK government’s ambitions to strike new data partnerships with important economies and improve international data transfers which a number of technologies rely on, such as GPS navigation, smart home technology and content streaming services.

The government continues to work closely with international partners on data adequacy deals with priority countries, including the United States, Australia, the Republic of Korea and Singapore.

PL&B Comments

1. Not mentioned in the government’s statement is its need to steer a course between taking an independent UK line and not risking the UK’s adequacy declaration from the European Commission, which enables the free flow of personal data between the UK and the European Economic Area. For most companies doing business internationally, this is a major concern.

2. The EU’s adequacy declaration for the UK is due to be reviewed by the European Commission together with the other countries in the adequacy group. The UK policy officials have been briefing their European Commission counterparts on the reform. But the European Commission policy team will be able to assess the plans only when they read the detailed policy documents.

3. The announcement’s section on the role of the Information Commissioner is somewhat ambiguous in that John Edwards, Information Commissioner, declares: “I am pleased to see the government has taken our concerns about independence on board.” But on the other hand, the DCMS states: “The Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to Parliament.”

4. The language of the government’s announcement focuses on reducing burdens for business and cutting costs. It states that “the reforms will create more than £1 billion in business savings over ten years by reducing these burdens on all businesses.” There is little focus on individuals’ rights, which is the purpose of the data protection law. The minister argues that the reform package “retains our global gold standard for data protection.” Critics will look at the detail of how the reform can pull away from the EU GDPR and at the same time keep to the widely recognised EU gold standard.

5. The list of countries in the announcement with which the government is discussing international data agreements includes Korea, although this is a country to which the EU has already granted an adequacy agreement. This means that, in principle, Korea should not need to be on the UK’s list because the UK accepted all the adequate countries as part of the Brexit agreement negotiated with the EU.

To help understanding of the government’s reform, PL&B has organised two events at which you can put questions to the DCMS data protection reform policy team and give your feedback and recommendations:

  • There is a session at Winds of Change, PL&B’s 35th Anniversary International Conference on Tuesday 5 July: UK privacy post-Brexit: What’s changed and what’s to come? 
  • We will set a new date in July for the postponed event: Memo to the DCMS Minister: A Roundtable to enable companies and their advisors to provide feedback and constructive comments to Julia Lopez, DCMS Minister, on the government’s proposals on reforming UK data protection legislation.